Rude.com is an online adult community with a large number of members. It's pretty heavy and stuffed with a lot of features, in an effort to unite several adult services in one large site. Features such as porn videos, amateur videos, amateur live cams, private cams, a social network, xxx games etc. seem to attract some attention to it.

Yet, visiting rude.com can be a hazard for you. Why?

You can insert JavaScript in the comments box of any profile. I don't mean inserting the script in your own profile, but the possibility to do this with ALL the profiles on the website.

This vulnerability is extremely dangerous for rude.com users, especially since there are paid services on the website. Wouldn’t want to be one of their paying members.

Suppose you are a paying client and want to see a live xxx show. You buy some chips (credit) and, while you do that, your session cookie gets stolen. Next thing you know, your card is being used by someone else. And here you are faced with two options:

1. You don't notice and you don't take any countermeasures.

2. You notice and make a chargeback, and the model and the website lose their money. Your credit score is affected, the website gets a bad reputation and the model is left with no money.

Of course, this kind of vulnerability can also be used for phishing, for generating traffic to other websites, or to hide XSS attacks targeting other websites (Yahoo, Gmail, eBay, PayPal etc.).

Inserting an XSS worm is extremely simple, and the owners of this website have known about this issue for over a year; still, nobody seems to bother.
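
What closing this hole looks like on the server side, as an added example that is not code from rude.com or from this post: the comment renderer that produces the problem next to one that encodes comment fields on output, plus response headers that keep a session cookie out of reach of page script. All function names, the sample comment and the session id are constructed for illustration.

```javascript
// Added example: constructed names and data, not code from rude.com.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored comment text is concatenated into the page as-is,
// so any markup a commenter typed becomes live markup for every visitor.
function renderCommentUnsafe(comment) {
  return `<li class="comment"><b>${comment.author}</b>: ${comment.body}</li>`;
}

// Hardened pattern: every user-controlled field is encoded at output time.
function renderCommentSafe(comment) {
  return `<li class="comment"><b>${escapeHtml(comment.author)}</b>: ` +
         `${escapeHtml(comment.body)}</li>`;
}

// Second layer: response headers that limit the damage if encoding is missed
// somewhere. HttpOnly hides the session cookie from page script; the CSP
// refuses inline script and script loaded from other origins.
function hardenedHeaders(sessionId) {
  return {
    'Set-Cookie': `session=${encodeURIComponent(sessionId)}; Path=/; ` +
                  'HttpOnly; Secure; SameSite=Lax',
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
  };
}

// Constructed sample comment containing a harmless marker script.
const sampleComment = {
  author: 'visitor"42',
  body: '<script>alert(1)</script> nice & rude',
};

console.log(renderCommentUnsafe(sampleComment)); // markup survives intact
console.log(renderCommentSafe(sampleComment));   // markup is shown as text
console.log(hardenedHeaders('constructed-session-id'));
```

Output encoding is the actual fix; the cookie flags and the policy header only reduce what an injected script can do if one template is missed.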